Exploring the Vulnerabilities: The “Log in with…” Feature’s Path to Full Online Account Takeover

Flaws in OAuth Implementation Put Millions of User Accounts at Risk

A recent report by Salt Labs has revealed critical flaws in the implementation of the Open Authorization (OAuth) standard on several online services, including Grammarly, Vidio, and Bukalapak. These flaws could have exposed hundreds of millions of user accounts to credential theft, financial fraud, and other forms of cybercriminal activity. The researchers believe that numerous other websites may also be compromised in the same way.

The “Pass-The-Token” Flaw

The researchers discovered what they refer to as a “Pass-The-Token” flaw in the OAuth implementation on these sites. This flaw allows an attacker to use a token from a third-party site, typically owned by the attacker, to log in to another service on behalf of a user. For example, if a user logs in to a site owned by the attacker, the attacker can then use the user’s token to log in to other sites, potentially compromising their accounts.

Misconfigurations on Vidio, Bukalapak, and Grammarly

The researchers found different manifestations of the OAuth flaw on each of the three sites. On Vidio, the online streaming platform, the researchers discovered that the site did not properly verify the access token when users logged in through Facebook. This allowed an attacker to manipulate API calls and insert an access token generated for a different application, potentially leading to account takeover on thousands of accounts. The same issue was found on Bukalapak, an Indonesian e-commerce site, where the researchers could insert a token from another website to access a user’s credentials and completely take over their account. The OAuth issue on Grammarly, an AI-powered writing tool, enabled the researchers to manipulate API exchanges and obtain users’ credentials for full account takeover.

Secure OAuth Implementation

The OAuth standard itself is well-designed and has secure servers protecting major providers like Google and Facebook. However, the flaws discovered in the implementation of OAuth on these sites highlight the need for developers to ensure secure implementation from the start. While OAuth functionality can be added easily to websites, developers must have a solid understanding of how OAuth works and be aware of common pitfalls that attackers can exploit.

Third-Party Tools and Monitoring

Developers can also use third-party tools that monitor for anomalous behavior and deviations from typical OAuth exchanges. These tools can help identify as-yet-unknown attacks, providing an additional layer of security for websites and their users. Implementing proper monitoring can help mitigate the risk of account takeover and other cyber threats.

Editorial: Strengthening Online Security

These recent findings highlight the ongoing challenges in ensuring the security of online services and protecting user accounts. While OAuth offers convenience and ease of use for users, it also introduces potential vulnerabilities if not implemented correctly. It is crucial for developers to prioritize security when integrating OAuth into their websites and applications.

This incident is a reminder of the importance of ongoing monitoring, vulnerability testing, and prompt bug fixes. Companies must ensure that thorough security assessments are conducted regularly to identify and address any flaws in their authentication systems. Additionally, cooperation between researchers and companies is essential in detecting and resolving security issues before they can be exploited by malicious actors.

As users, it is essential to be vigilant and mindful of the services we use and the permissions we grant to third-party applications. Regularly reviewing and revoking unnecessary access privileges can help reduce the risk of unauthorized access to our personal information.

The discovery of these OAuth flaws serves as a wake-up call for both developers and users to prioritize cybersecurity. As technologies continue to evolve, adversaries will exploit any vulnerabilities they find. It is our collective responsibility to ensure robust security measures are in place to protect our sensitive information in the ever-expanding digital landscape.